The General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679, is the European Union’s framework for personal-data protection. It grants EU residents broad rights over data collected about them — to access it, to correct it, to demand its deletion — and imposes large fines on organizations that violate those rights. The European Parliament adopted GDPR on 14 April 2016 and it became enforceable on 25 May 2018, replacing the older Data Protection Directive (95/46/EC).
The regulation’s territorial scope (Article 3) is extraterritorial: it applies to any organization processing the personal data of people in the EU, regardless of where the organization itself is located. A U.S. company offering services to European customers is still on the hook for GDPR compliance.
“Personal data” in GDPR is defined broadly — any information relating to an identified or identifiable natural person, including indirect identifiers like IP addresses, cookie IDs, and device fingerprints. This is wider than the U.S. concept of “personally identifiable information.”
The core rights GDPR grants to data subjects include:
- Right of access — to obtain confirmation that personal data is being processed, and a copy of that data.
- Right to rectification — to correct inaccurate personal data.
- Right to erasure (the “right to be forgotten”) — to have personal data deleted under certain circumstances.
- Right to restriction — to limit processing while a dispute is resolved.
- Right to data portability — to receive personal data in a structured, machine-readable format.
- Right to object to certain kinds of processing (notably direct marketing, and automated decision-making and profiling).
GDPR also requires a lawful basis for every processing activity. Article 6 enumerates six: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. Consent is only one of the six — a common misconception is that GDPR requires consent for everything.
Other operational requirements: a Data Protection Officer (DPO) for organizations whose core activities involve large-scale monitoring or sensitive-category data; a Data Protection Impact Assessment (DPIA) for high-risk processing; and 72-hour breach notification to the relevant supervisory authority once a breach is known.
Fines for serious violations can reach the greater of €20 million or 4% of global annual turnover (for the most severe categories of infringement); a lower tier of up to €10 million or 2% applies to lesser violations.
GDPR is one of the three privacy laws engineers handling personal data should recognize by name, alongside HIPAA (U.S. medical data) and PIPEDA (Canadian commercial data). They differ substantially in scope, mechanism, and enforcement — GDPR is a horizontal regulation covering all personal data across all sectors, HIPAA is narrow and sector-specific, PIPEDA covers commercial activity at the federal level — but share the same general logic: people have rights over data collected about them, and organizations that collect that data have obligations to handle it responsibly. Informed consent is one mechanism that appears in all three frameworks, though as noted above it is only one of GDPR’s six lawful bases.